
The cranes that move goods in and out of America's busiest ports (some of the most essential components of our national logistics chain) are under growing scrutiny.
In the newly issued MARSEC Directive 105-5, the U.S. Coast Guard has raised red flags about the cybersecurity risks that come with ship-to-shore (STS) cranes manufactured in China. These cranes, mostly produced by state-owned enterprises like Shanghai Zhenhua Heavy Industries (ZPMC), make up nearly 80% of the STS equipment at U.S. ports.
While efficient and widely used, they are a risk to supply chains thanks to built-in vulnerabilities in their operational technology (OT) environments. In the eyes of the U.S. government, the threat has moved from the theoretical to a pressing issue tied to national security, infrastructure resilience, and the possibility of foreign cyber exploitation.
Built-in Vulnerabilities in STS Cranes
Unlike traditional IT systems, OT security in maritime environments must consider not only data confidentiality but also operational continuity and physical safety. STS cranes, in particular, rely on a complex mesh of software-controlled systems for remote operation, diagnostics, and maintenance.
This makes them highly susceptible to cyber compromise, especially if the underlying software and hardware are foreign-manufactured with limited visibility into their inner workings.
The Coast Guard's Cyber Protection Team (CPT) has identified common flaws in STS crane networks: legacy software, poor identity and access management, shared accounts, and weak network segmentation between IT and OT environments. These weaknesses, if left unaddressed, could provide cyber adversaries with a direct line to interfere with crane operations, exfiltrate sensitive logistics data, or even bring port operations to a halt.
As the Coast Guard's Cyber Trends and Insights in the Marine Environment (CTIME) report highlights, better connectivity has expanded the attack surface. The more these systems stay connected to enterprise networks (often via satellite links), the easier it is for malware to move laterally from an organization's IT infrastructure to vessel and crane operations.
Watch Your Back [Door]
At the heart of the concern is the possibility that Chinese-made cranes could be used not just for disruption, but for surveillance. The U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and other national security stakeholders have warned that these cranes might carry hidden backdoors, either in software or embedded firmware, that could be exploited to gather intelligence or sabotage logistics flows during geopolitical conflict.
While some experts argue that the espionage fears are overblown, the supply chain risk posed by single-country dominance in port crane manufacturing cannot be ignored. The STS crane ecosystem is too concentrated, too opaque, and too critical to U.S. trade to rely on trust alone.
In fact, the Coast Guard has specifically called out the need to scrutinize third-party maintenance contracts that might allow remote access or firmware updates without rigorous oversight. The risks are no longer hypothetical; in 2021, suspected state-sponsored attackers breached the Port of Houston's network, an incident that could have granted them remote access had it not been detected in time.
New MARSEC Directives and Government Action
To counter these threats, the U.S. government is shifting from observation to enforcement. MARSEC Directive 105-5, building on February's MARSEC Directive 105-4, lays out stricter cyber risk management requirements for owners and operators of PRC-manufactured STS cranes. The directive contains security-sensitive information (SSI) and is distributed only to vetted stakeholders through appropriate Coast Guard channels.
Operators must now coordinate with their local Captain of the Port (COTP) or District Commander to obtain and comply with the directive. The Coast Guard is also working closely with CISA, the Department of Defense, and the Department of Transportation to ensure that port cybersecurity is aligned across agencies.
President Biden echoed these concerns at the federal level. In February 2024, he signed an executive order that bolsters the Coast Guard's authority to respond to cyber incidents and allocates $20 billion over five years to restart domestic crane manufacturing, the first investment of this nature in 30 years. The aim is to diversify the supply chain and limit dependency on Chinese systems in critical infrastructure.
Recommended Cybersecurity Measures for Port Operators
The message is clear. Port infrastructure security can no longer treat OT as an afterthought. Ports must act now to improve their cybersecurity posture, particularly when Chinese-made cranes are concerned.
Here are recommended steps for port operators and infrastructure owners:
- Review access controls and identity management: Eliminate shared accounts, enforce strong password policies, and mandate multi-factor authentication (MFA).
- Isolate crane networks: Establish strict network segmentation between IT and OT environments. Place properly configured firewalls at boundary points to deny unauthorized traffic by default.
- Audit third-party access: Reevaluate service contracts that allow remote access to crane systems. Limit or revoke unnecessary access and require adherence to cybersecurity standards.
- Patch and harden OT assets: Update legacy software, close known vulnerabilities, and harden endpoints. Where updates aren't feasible, implement compensating controls.
- Train OT personnel: Ensure crane operators and engineers are aware of basic cyber hygiene, including phishing risks, USB security, and incident reporting procedures.
- Engage with government programs: Participate in cybersecurity assessments and knowledge-sharing initiatives such as the Control Environment Laboratory Resource (CELR) launched by DHS and CISA.
These measures are rapidly becoming regulatory expectations.
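As an added illustration of the access-control, segmentation and third-party access steps above (not code from the Coast Guard directive or from the article's author), the following Python audits a constructed IT/OT boundary rule set and a constructed remote-access session log. The network ranges, rule fields, account names, the 16-host threshold and the "same account from more than one source host" heuristic for shared accounts are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: zone CIDRs, rule fields and account names are assumptions.
OT_NET = ipaddress.ip_network("10.50.0.0/24")  # hypothetical crane control network
RULES = [  # evaluated top-down, last rule should be the default-deny
    {"id": 1, "src": "10.10.5.20/32", "dst": "10.50.0.10/32", "port": "443", "action": "allow"},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.50.0.0/24", "port": "any", "action": "allow"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.50.0.12/32", "port": "3389", "action": "allow"},
    {"id": 4, "src": "10.10.5.21/32", "dst": "10.50.0.11/32", "port": "22", "action": "allow"},
]
SESSIONS = [  # (account, source host, mfa_used) from a remote-access gateway log
    ("crane_admin", "eng-ws-01", True),
    ("crane_admin", "vendor-vpn-7", False),
    ("j.alvarez", "eng-ws-02", True),
    ("vendor_support", "vendor-vpn-7", False),
]

def audit_rules(rules, ot_net=OT_NET, max_src_hosts=16):
    """Flag allow rules into the OT network that are too broad, and a missing default-deny."""
    findings = []
    for r in rules:
        dst = ipaddress.ip_network(r["dst"])
        if r["action"] != "allow" or not dst.overlaps(ot_net):
            continue  # only allow rules that reach the OT zone matter here
        if ipaddress.ip_network(r["src"]).num_addresses > max_src_hosts:
            findings.append((r["id"], "broad source"))
        if r["port"] == "any":
            findings.append((r["id"], "any port"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "0.0.0.0/0"
            and ipaddress.ip_network(last["dst"]).supernet_of(ot_net)):
        findings.append((None, "no explicit default-deny into OT"))
    return findings

def audit_sessions(sessions):
    """Report accounts seen from several source hosts (likely shared) and logins without MFA."""
    hosts, no_mfa = defaultdict(set), set()
    for account, host, mfa in sessions:
        hosts[account].add(host)
        if not mfa:
            no_mfa.add(account)
    shared = sorted(a for a, h in hosts.items() if len(h) > 1)
    return {"shared_accounts": shared, "no_mfa": sorted(no_mfa)}

if __name__ == "__main__":
    print(audit_rules(RULES))
    print(audit_sessions(SESSIONS))
```
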
Hardening the OT Perimeter of U.S. Infrastructure
The time of treating operational technology as "air-gapped" or immune from cyber risk is gone. Today, the front lines of national security increasingly run through seaports, terminals, and the connected equipment that keeps the wheels of global trade turning.
The crane cybersecurity issue is a wake-up call for all critical infrastructure operators. If you haven't audited your OT environment, segmented your networks, or put your supply chain dependencies under the microscope, you need to act now.
While government directives and funding initiatives are welcome, cybersecurity is a shared responsibility. By taking proactive steps to harden crane systems, segment networks, and restrict third-party access, ports and terminal operators can reduce exposure and build resilience against future threats.
OT security is a matter of national interest. Let's treat it that way.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.